Stealing Your Bitcoin Transactions from Your Own Browser


Masad Stealer: Exfiltrating using Telegram

masad_ad_blackmarket1.png
Juniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a Command and Control (CnC) channel allows the malware some anonymity, as Telegram is a legitimate messaging application with 200 million monthly active users. 
The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.
Masad Stealer sends all of the information it collects - and receive commands from - a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.

What it does 

This malware is written using Autoit scripts and then compiled into a Windows executable. Most samples we have seen are about 1.5 MiB in size, however, Masad Stealer can be found in larger executables as it is sometimes bundled into other software.
When Masad Stealer is executed, it drops itself in %APPDATA%\folder_name}\{file_name}, where folder_name and file_name are defined in the binary. Examples include amd64_usbhub3.inf.resources and ws2_32.exe, respectively. As a persistence mechanism, mMasad Stealer creates a scheduled task that will start itself every one minute.
schtask.png
Stealing routine
After installing itself, Masad Stealer starts by collecting sensitive information from the system, such as:
Cryptocurrency Wallets
PC and system information
Credit Card Browser Data
Browser passwords
Installed software and processes
Desktop Files
Screenshot of Desktop
Browser cookies
Steam files
AutoFill browser fields
Discord and Telegram data
FileZilla files
It zips this information into a file using 7zip utility, which is bundled into the malware binary.
stolen_info.png

The above screenshot is a view of what Masad Stealer tries to exfiltrate from a sandbox. But the data that it can exfiltrate can expand to the following list:
stolen_info_complete.png
Using a hardcoded bot token, which is basically a way to communicate with the Command and Control bot, Masad Stealer sends this zip file using the sendDocument API.
sendDocumentAPI.png
In order to communicate with the Command and Control bot, Masad Stealer first sends a getMe message using the bot token to be able to confirm that the bot is still active. Upon receiving this request, the bot replies with the user object that contains the username of the bot. This username object is useful for identifying possible threat actors related to this malware. This is an important consideration because of the off-the-shelf nature of this malware - multiple parties will be operating Masad Stealer instances for different purposes.
telegram_bot_getme.png
Where the bot’s token is “719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI”.

Clipping Routine

This malware includes a function that replaces wallets on the clipboard, as soon as it matches a particular configuration. Below are the regular expressions and supported wallets that it matches against the clipboard data:
clipping_regex.png
Below is a list of coins/wallet it tries to clip:
Monero
Bitcoin Cash
Litecoin
Neo
Web Money
ADA
ZCASH
DogeCoin
Stratis
QIWI Pay
Bicond
Waves
Reddcoin
Qtum
Payeer
Bytecoin
Bitcoin
Black Coin
VIA
Steam Trade Link
Bitcoin Gold
Emercoin
Lisk
Ethereum
Dash
Ripple
Yandex Money
If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary. Below are the bitcoin and monero wallets found in one of the samples:

Bitcoin: 1AtwyYF2TGR969cyRDrR2XFDqSPzwCXKfe

Monero: 42Mm9gjuUSmPNr7aF1ZbQC6dcTeSi1MgB1Tv41frv1ZRFWLn4wNoLH3LDAGn9Fg2dhJW2VRHTz8Fo9ZAit951D2pDY8ggCR

Below is a snapshot of the bitcoin wallet transaction, as of this writing. This wallet has already received around $9,000 USD equivalent of bitcoins (as of Sept 15, 2019), which may or may not come from the activity of this malware.
sample_fraudulent_bitcoin_wallet.png

Attack Vector

Based on our telemetry, Masad Stealer’s main distribution vectors are masquerading as a legitimate tool or bundling themselves into third party tools. Threat actors achieve end user downloads by advertising in forums, on third party download sites or on file sharing sites. Below are the currently known list of software that Masad Stealer has been seen mimicking:
ProxySwitcher (legitimate version here: https://www.proxyswitcher.com/)
CCleaner.exe (legitimate version here: https://ccleaner.com/)
Utilman.exe (legitimate version comes with Windows)
Netsh.exe (legitimate version comes with Windows)
Iobit v 1.7.exe (legitimate version here: https://www.iobit.com/)
Base Creator v1.3.1 [FULL CRACK].exe (there is no legitimate version)
EXEA HACK CRACKED (PUBG,CS GO,FORTNITE,GTA 5,DOTA).exe ( there is no legitimate version)
 Icacls.exe (legitimate version comes with Windows)
WSManHTTPConfig.exe (legitimate version comes with Windows)
RADMIR CHEAT MONEYY.exe (there is no legitimate version)
Tradebot_binance.exe (legitimate version here: https://tradesanta.com/en)
Whoami.exe (legitimate version comes with Windows)
Proxo Bootstrapper.exe (this is actually a reasonably popular form of malware)
Fortniteaimbot  2019.exe (there is no legitimate version) 
Galaxy Software Update.exe (https://www.samsung.com/us/support/answer/ANS00077582/)


Download additional malware
 Some samples of Masad Stealer have the capability to download additional malware. We have seen samples that download other malware, usually a miner, from these URLs:
https://masadsasad[.]moy.su/base.txt (miner)
https://zuuse[.]000webhostapp.com/mi.exe (miner)
http://37[.]230.210.84/still/Build.exe
http://37[.]230.210.84/still/SoranoMiner.exe
http://187[.]ip-54-36-162.eu/steal.exe
http://bgtyu73[.]ru/22/Build.exe
The figure below is a response from the request to https://masadsasad[.]moy.su/base.txt. This response contains an executable file with modified header. In addition to connecting via TLS, the modified header is an added trick by the malware to hide itself.
download_miner.png


TLS streams are more difficult to inspect, helping to hide them from network-based security defenses. The modified header helps to hide the fact that the payload being downloaded is an executable from endpoint security products.

Threat Actors
This malware is being advertised in several hack forums as Masad Stealer. It starts with a free version and ladders up to versions asking up to $85, with each tier of the malware offering different features.
There is at least one dedicated website (masadproject[.]life) in existence to promote the sale of Masad Stealer. The developers have also created a Telegram group for their potential clients, and presumably to offer tech support.  At time of writing, this group has more than 300 members.
masad_telegram_support.png
Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors - or at least the number of different campaigns being run using the Masad Stealer malware - and the size of their operations. We used the getMe API, along with the bot token, to identify the usernames. Among the top bot IDs are as follows:
Telegram Bot ID
Telegram Bot Username
Unique Hashes
bot610711208
potterk_bot
45
bot830353220
reaper228bot
24
bot661438794
RanisYolo19_bot
23
bot796671289
dfsklnjfmkdvehfsf454sdfbot
22
bot870978042
dawdvwabot
20
bot753197414
korote_bot
14
bot823037532
NA/Inactive
13
bot699800942
RcbBots_Bot
13
bot831297312
xAmytBot
13
bot883608782
bichpaket777_bot
12
bot656889928
notius_bot
12
bot813438470
idontknowubot
12
bot911603667
Masat_bot
11
bot963764792
NA/Inactive
11
bot930786995
reborntodes_bot
9
bot884837464
istrong_bot
9
bot646596033
SkyDen_bot
9
bot865594389
gnoy199519bot]
8

Previous versions of this malware (or possibly a direct ancestor) are called “Qulab Stealer”.

How does Juniper Networks protect you against this?

Juniper Advanced Threat Protection products JATP and Sky ATP use machine learning to be able to accurately identify malware. The following images show the Sky ATP detecting multiple variations of this malware.
skyatp_detecttions.png
The use of machine learning is critical to defending against this malware because of the number of rapid iterations it underwent throughout its development. Machine learning allows Juniper Connected Security to identify Masad Stealer variants as they emerge, helping to keep customers protected even before new strains have been identified.

Conclusion
Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat.  Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market.
In order to protect your organization, make sure that you have a next generation firewall (NGFW) with Advanced Threat Protection. NGFWs have the ability to identify the Telegram protocol and block it, if there is no legitimate business use, while Advanced Threat Protection products offer other methods to detect and counteract this malware.
Juniper Sky ATP, in conjunction with our SRX firewall will block any client infected with Masad Stealer from reaching out to the Command and Control bot master. It will also block the download of the Masad Stealer malware files in the first place, offering both remediation and prevention capabilities.

Urls:

https://masadsasad[.]moy.su/base.txt 

https://zuuse[.]000webhostapp.com/mi.exe

http://37[.]230.210.84/still/Build.exe

http://37[.]230.210.84/still/SoranoMiner.exe

http://187[.]ip-54-36-162.eu/steal.exe

http://bgtyu73[.]ru/22/Build.exe


All Credit to  ,
from Juniper.net